nanog mailing list archives

Re: IPv6 point-to-point was: It's Ars Tech's turn to bang the IPv4 exhaustion drum


From: Jeroen Massar <jeroen () unfix org>
Date: Wed, 20 Aug 2008 16:38:15 +0200

michael.dillon () bt com wrote:
> matsuzaki-san's preso, i think the copy he will present next week at apops:
> 
> To summarize, using /64 on a link opens the door to a DOS
> problem that we need to pressure the vendors to fix.

How is this not an obvious 'duh' kind of situation that just depends on
doing ones configuration correctly?

A similar problem occurs when one assigns a /48 down the P2P link and
the downstream user has a default route back upstream but doesn't route
the /48 to a loopback, but only routes a part of it (e.g. a /64 or two), e.g.:

{ Internet} - { ISP } - { p2p-link } - { customer } - { c1 }
                                                    \ { c2 }

p2p-link = 2001:db8:1000::/64 (::1 == ISP, ::2 == Customer)
customer = 2001:db8:2000::/48 via 2001:db8:1000::2
c1       = 2001:db8:2000:1::/64
c2       = 2001:db8:2000:1::/64

Packets from $internet to 2001:db8:2000:1234::1 will travel down to the
customer, who routes it with its default back up to the p2p-link, where
your correctly configured box will see a source address of $internet and
ICMP admin reject it because that is an invalid source address. Indeed
the packet will bounce back up and a third packet (the ICMP) will be
sent, thus you have an amplification of 3x, but who cares? That is at the
customer link, they should configure that link correctly, and they are
paying you for that link anyway -> their problem, your cash $$$ :)

RPF saves the day here yet again. Remember boys and girls to configure
at least your boxes correctly, don't trust other people to do the same ;)

There are of course a number of "ISP's" who don't do this and
which allow full spoofing from any prefix as they don't do RPF or even
something as simple as a "source != 2001:db8::/32" (or whatever they have as
their own prefix) filter on their core routers. There are of course also "ISP's"
which think they are transits and tunnel to everybody they can find. These
"ISP's" then of course also don't do any spoofing-filtering and generally have
'customers' that exhibit the same problem, as those just set a default back
upstream. Take a small guess how easy it is to take those networks off the
Internet.... better start fixing that broken setup ;)

Greets,
 Jeroen

Attachment: signature.asc
Description: OpenPGP digital signature
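The bounce described in the message above, simulated as an added example (this is not code from the original post, nor from any vendor). It builds the post's topology with a minimal longest-prefix-match forwarder and counts how many packets cross the p2p link in three situations: the customer only routes its /64s and the ISP runs strict uRPF (the 3x case from the post), the customer also points the whole /48 at a discard route (the fix), and the customer is broken while the ISP does no RPF at all (ping-pong until the hop limit runs out). The interface names, the `null0` discard route, the 2001:db8:2000:2::/64 prefix for c2, the $internet source address and the initial hop limit of 64 are all assumptions of this example; the ICMP Time Exceeded sent at hop-limit exhaustion is not counted.

```python
"""Simulation of the /48-default-route bounce from the post (constructed example).

Addresses for the p2p link and the customer /48 come from the post; everything
else (interface names, null0, c2's /64, source address, hop limit) is assumed.
"""
import ipaddress

P2P_LINK = ipaddress.ip_network("2001:db8:1000::/64")
CUSTOMER_48 = ipaddress.ip_network("2001:db8:2000::/48")
INTERNET_SRC = ipaddress.ip_address("2001:db8::1")             # "$internet" (assumed)
UNROUTED_DST = ipaddress.ip_address("2001:db8:2000:1234::1")   # inside the /48, no /64 for it

# Customer only routes its two /64s; everything else follows the default back upstream.
BROKEN_CUSTOMER = [
    ("::/0", "p2p"),
    ("2001:db8:2000:1::/64", "c1"),
    ("2001:db8:2000:2::/64", "c2"),   # assumed; the post lists the same /64 twice
]
# Same, plus the aggregate pointed at a discard route so unused space dies locally.
FIXED_CUSTOMER = BROKEN_CUSTOMER + [(str(CUSTOMER_48), "null0")]


class Router:
    """Minimal longest-prefix-match forwarder with optional strict uRPF."""

    def __init__(self, name, routes, rpf=False):
        self.name = name
        self.rpf = rpf
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def next_hop(self, addr):
        matches = [(p, iface) for p, iface in self.routes if addr in p]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def forward(self, src, dst, in_iface):
        """Return ('forward', out_iface), ('discard', None) or ('rpf-fail', in_iface)."""
        # Strict uRPF: the best route back to the source must leave via the ingress interface.
        if self.rpf and self.next_hop(src) != in_iface:
            return ("rpf-fail", in_iface)   # ICMP admin-prohibited goes back out the ingress
        out = self.next_hop(dst)
        if out is None or out == "null0":
            return ("discard", None)
        return ("forward", out)


def simulate(customer_routes, isp_rpf, hop_limit=64):
    """Send one packet from the Internet to UNROUTED_DST.

    Returns (packets that crossed the p2p link, how the episode ended).
    The admin-prohibited ICMP is counted (it crosses the link); ICMP Time
    Exceeded at hop-limit exhaustion is not.
    """
    isp = Router("isp", [("::/0", "upstream"),
                         (str(P2P_LINK), "p2p"),
                         (str(CUSTOMER_48), "p2p")], rpf=isp_rpf)
    customer = Router("customer", customer_routes)
    node, in_iface, crossings = isp, "upstream", 0
    while True:
        action, out = node.forward(INTERNET_SRC, UNROUTED_DST, in_iface)
        if action == "discard":
            return crossings, f"discarded at {node.name}"
        if action == "rpf-fail":
            return crossings + 1, f"icmp admin-prohibited from {node.name}"
        if out != "p2p":
            return crossings, f"left the topology via {out} at {node.name}"
        # RFC 8200: decrement on forward, discard if it reaches zero.
        hop_limit -= 1
        if hop_limit == 0:
            return crossings, f"hop limit exceeded at {node.name}"
        crossings += 1   # every forward in this two-node topology crosses the p2p link
        node, in_iface = (customer, "p2p") if node is isp else (isp, "p2p")


if __name__ == "__main__":
    print("broken customer, ISP uRPF   :", simulate(BROKEN_CUSTOMER, isp_rpf=True))
    print("fixed customer,  ISP uRPF   :", simulate(FIXED_CUSTOMER, isp_rpf=True))
    print("broken customer, no uRPF    :", simulate(BROKEN_CUSTOMER, isp_rpf=False))
```

With the customer's default route and the ISP's strict uRPF you get exactly the three link crossings the message describes; the discard route for the aggregate brings that down to one, and removing RPF on the ISP side turns the same packet into a ping-pong that only the hop limit ends.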
